× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. November 2001

Re: FW: IBM AS/400 HTTP Server '/' attack

I use Net.Data for dynamic pages, and as a security precaution I have my static 
pages in
one source file and the macros in a different fiel.  The permissions are set so 
that
QTMHHTP1 can see the macros but not the static pages and QTMHHTTP can not see 
the
macros.  I tried puting a / at the end of an URL and I get a "File not found" 
message,
instead of the source code.  The page is there, but the default user has 
*EXCLUDE
__________________________________________________________________________________________________

"Hall, Philip" wrote:

> FYI....
>
> > -----Original Message-----
> > From: 'ken'@FTU
> > Sent: Thursday, November 08, 2001 8:42 AM
> > To: bugtraq
> > Subject: IBM AS/400 HTTP Server '/' attack
> >
> >
> >    IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
> > that will show the source code of the page -- such as an .html or .jsp
> > page -- by attaching an '/' to the end of a URL.
> >
> > Compare these two URL's:
> >
> > http://www.foo.com/getsource.jsp
> >
> > http://www.foo.com/getsource.jsp/
> >
> > The later URL will deliver the jsp source to the browser.
> >
> > I reported this problem to IBM approximately 9 or 10 months ago.
> >
> > I was told it was a bug but not a security vulnerability. When I
> > explained that Microsoft had a similar bug (asp dot bug) they told me
> > that "they did not share the same source code base." I replied to this
> > ludicrous reply: "Isn't it possible that since you developed servers
> > that function in a similar manner you have the same logical bug?" To
> > this they were speechless. I imagine that a .jsp page could
> > contain user
> > names and passwords if they are accessing databases,
> > especially if these
> > databases are on the network.
> >
> > By the way, the IBM HTTP server was derived from an early version of
> > Apache. I have not seen Apache servers vulnerable to this bug.
> >
> > Since I reported this "non-security" bug so long ago I hope
> > it is fixed
> > through the regular set of changes. I cannot confirm this bug
> > was fixed.
> > As far as I know this vulnerability was not yet reported to
> > the public.
> >
> > 'ken'

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.